Microsoft Issues Windows Security Patches For June
Microsoft Corp. today issued 10 security updates to mend flaws in its software products, including three "critical" fixes for problems found in most versions of its Windows operating systems. Microsoft rates a vulnerability "critical" if hackers or computer worms could use it to take over a vulnerable machine without any action on the part of the user.
The free patches are available from Microsoft's Windows Update Web site. Home users should install them immediately. (If you don't, you could end up with a sick computer like the one I tried to resuscitate for a friend of mine the other day.)
You can make sure your Windows PC is updated automatically with the latest fixes from Redmond by following Microsoft's instructions on how to enable automatic updates.
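If you want to verify the setting rather than trust the control panel, the following PowerShell script is an added example (not code from the original post or from Microsoft) that reads the Automatic Updates configuration and lists the updates Windows Update still considers missing. It uses the Windows Update Agent COM objects (Microsoft.Update.AutoUpdate and Microsoft.Update.Session), which exist on Windows XP SP2 and later; the `[pscustomobject]` syntax assumes PowerShell 3.0 or newer. The function names are my own.

```powershell
# Added example: check the Automatic Updates setting and enumerate missing updates
# through the Windows Update Agent COM API. Run from an elevated PowerShell prompt
# on the machine being checked. Function names are this example's own.

function Get-AutoUpdateStatus {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    # IAutomaticUpdatesSettings.NotificationLevel:
    #   0 = not configured, 1 = disabled, 2 = notify before download,
    #   3 = download then notify before install, 4 = scheduled automatic install
    $levels = @{
        0 = 'Not configured'
        1 = 'Disabled'
        2 = 'Notify before download'
        3 = 'Download, notify before install'
        4 = 'Scheduled automatic install'
    }
    $level = [int]$au.Settings.NotificationLevel
    [pscustomobject]@{
        NotificationLevel = $level
        Description       = $levels[$level]
        # ReadOnly is $true when the setting is enforced by Group Policy
        ReadOnly          = $au.Settings.ReadOnly
        NeedsAttention    = ($level -lt 4)   # anything short of automatic install
    }
}

function Get-MissingUpdates {
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    # Ask the configured update source (Windows Update, Microsoft Update or WSUS)
    # for software updates that are neither installed nor hidden by the user.
    $result = $searcher.Search("IsInstalled=0 and IsHidden=0 and Type='Software'")
    foreach ($update in $result.Updates) {
        # MsrcSeverity is 'Critical', 'Important', 'Moderate' or 'Low' for
        # security updates and empty for everything else.
        [pscustomobject]@{
            Severity = $update.MsrcSeverity
            KB       = ($update.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Bulletin = (@($update.SecurityBulletinIDs) -join ',')
            Title    = $update.Title
        }
    }
}

# Usage: show the Automatic Updates setting, then the outstanding critical fixes first.
Get-AutoUpdateStatus | Format-List
Get-MissingUpdates |
    Sort-Object { switch ($_.Severity) { 'Critical' {0} 'Important' {1} 'Moderate' {2} 'Low' {3} default {4} } } |
    Format-Table -AutoSize
```

A machine whose `NotificationLevel` is below 4, or that shows any row with `Severity` of Critical, is exactly the kind of PC the rest of this post is warning about.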
Perhaps the most urgent patch for the average Windows home user is a bundle of security fixes for Microsoft's Internet Explorer Web browser. Those fixes apply to IE versions running on nearly every version of Windows, including Windows 98, Windows 98 SE and Windows ME. The update fixes at least two flaws in IE, one of them rated "critical": a persistent problem in the way IE handles digital images that could let attackers take over an unpatched Windows machine just by getting the user's browser to display a specially crafted picture.
Scam artists have used similar IE flaws to install spyware and other nasty things on Windows machines in the past, and are likely to do so with this flaw as well, said David Cole, director of product management for Symantec Security Response. Microsoft notes that instructions on how to exploit one of the IE flaws are already publicly available.
"This one's particularly nasty because images are automatically downloaded by the browser, so it's not like the user has to click on an attachment to get infected, they could just have stumbled on a malicious Web page" or visited a site hosting a tainted advertisement, Cole said. Last November, I wrote about hackers installing spyware on Windows machines by breaking into a company that serves banner ads for thousands of Web sites.
Another "critical" patch fixes a problem that has dogged the "HTML Help" feature in Windows, a function that uses Microsoft's Internet Explorer Web browser to display instructions for using a variety of computer programs. This flaw also is present in nearly all of the above-mentioned versions of Windows. Last month, I wrote about hackers using an earlier flaw in HTML Help to aid in a cyber-extortion scam targeting Windows users.
The final "critical" flaw patched today involves a problem in Server Message Block (SMB), the protocol Windows uses to share files and printers across a network. This vulnerability could be used to power a network worm that spreads on its own over the Internet to unpatched systems; however, many Internet service providers routinely filter this type of traffic across their networks, so any worm leveraging this flaw would probably not spread as fast as it would have just a few years ago, Symantec's Cole said.
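Whether your ISP or your own firewall actually filters SMB is something you can test rather than assume. The PowerShell function below is an added example (not from the original post) that probes the two TCP ports SMB listens on, 139 and 445, from outside, and distinguishes a connection that is refused (the host answered, the port is closed) from one that times out (something in the path dropped it). Run it from a machine on another network against your public address; the `Test-SmbExposure` name and the 203.0.113.10 target are placeholders of my own.

```powershell
# Added example: probe TCP 139 and 445 on a host and report whether each port is
# open, refused, or silently filtered. Uses System.Net.Sockets.TcpClient so no
# extra modules are needed. Function name is this example's own.

function Test-SmbExposure {
    param(
        [Parameter(Mandatory = $true)] [string] $TargetHost,
        [int[]] $Ports = @(139, 445),
        [int] $TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $status = 'Unknown'
        try {
            $async = $client.BeginConnect($TargetHost, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
                try {
                    # The connect completed: either a SYN/ACK (open) or a RST (refused).
                    $client.EndConnect($async)
                    $status = 'OPEN - reachable from here, patch and firewall this host'
                } catch {
                    $status = 'Closed (refused) - host reachable, nothing listening'
                }
            } else {
                # No SYN/ACK and no RST before the timeout: a firewall or the ISP
                # dropped the packet, which is the filtering Cole describes.
                $status = 'Filtered (timeout) - dropped somewhere in the path'
            }
        } finally {
            $client.Close()
        }
        [pscustomobject]@{ Host = $TargetHost; Port = $port; Status = $status }
    }
}

# Usage: 203.0.113.10 is a placeholder from the documentation address range;
# replace it with the public address of the machine you are checking.
Test-SmbExposure -TargetHost 203.0.113.10 | Format-Table -AutoSize
```

A "Filtered" result on both ports from an outside vantage point means an SMB worm cannot reach the machine directly over the Internet; "OPEN" means it can, and the patch is the only thing standing between the worm and the box.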
Another flaw, fixed in a patch rated "important," deserves attention from companies that run Microsoft's Exchange e-mail server. According to Microsoft, a flaw in the way the Web mail component of Exchange works could let attackers seize control of a vulnerable machine. However, an attacker would need a valid username and password for the target's Web mail system to take advantage of the flaw, Microsoft said.
It's not unusual for software patches to interfere with or break third-party software. One of the fixes released today -- a re-release of an April Microsoft patch -- may be incompatible with BlackICE on some Windows systems, according to information the company apparently passed on to the SANS Internet Storm Center. BlackICE is a software firewall product made by Internet Security Systems. ISS says some Windows 2000 users running certain versions of BlackICE could find their firewall protection shut off if they install today's updates before upgrading to the latest edition of BlackICE. ISS urges potentially affected customers to update their copy of BlackICE to the newest release, which it says does not conflict with the patch.
Anyone who makes a regular habit of visiting Microsoft's security site will no doubt notice Microsoft has redecorated a bit. I can't decide if I like what they've done, but at first glance it appears to be an improvement. Stephen Toulouse, Microsoft's Security Program Manager, said the company made the changes in response to customer feedback. If you've got some thoughts on how Microsoft could make its site easier to navigate, they want to hear from you.
For the record, this month's batch of patches brings to 20 the total number of critical vulnerabilities Microsoft has identified in 2005. Last year, Microsoft released a total of 25 "critical" security fixes.